If you are accepting credit card payments or want to accept credit card payments then you must know what regulations you have to comply with. This blog will give you a brief overview about the entities involved, the terms involved such as PCI, SAQ, and the ways to ensure compliance. Both merchants and customers should have an idea about the common technical terms used in this industry.
PCI SSC: Payment Card Industry Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. This council maintains, evolves, and promotes the Payment Card Industry Security Standards. American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc., are the founding members of the council. This council also provides the important tools required for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires (SAQs), training and education, and product certification programs.
PCI DSS: The Payment Card Industry Data Security Standard specifies twelve requirements for compliance. Merchants must undergo PCI DSS audit annually to ensure compliance. They must complete the PCI Compliance DSS SAQs every year and submit it to their transaction bank.
SAQ: Self-Assessment Questionnaire. This is a reporting tool to be used by merchants to document self-assessment results from their PCI DSS assessment.
Merchant: Any entity that accepts payment cards as payment for goods and/or services is considered as a merchant.
Service Provider: Any entity that on behalf of other merchants accepts payment cards as payment for services that result in storing, processing, or transmitting of cardholder data. A merchant can also be a service provider. ISP, managed service providers, etc…, could be service providers. A service provider is not the payment brand.
ASV: Approved Scanning Vendor are entities approved by the PCI SSC to provide external vulnerability scanning services.
The PCI SSC has categorized merchants based on their annual transaction volume. The levels are 1-4. Level 1 merchants handle transactions exceeding 6 million every year. Level 2 merchants handle transactions exceeding 1 million, but less than 6 million. Level 3 merchants handle transactions exceeding 20000, but less than 1 million. Level 4 merchants are those who handle less than 20000 transactions annually.
If you are collaborating with a payment processing partner (service provider), then that partner would guide you in the taking the annual SAQ to ensure PCI compliance. Further, when you accept card payments you must ensure that the card data is safe and secure. There are magnetic stripe cards as well as EMV chip cards. Due to the vulnerabilities in magnetic stripe cards, worldwide support for it is being stopped and EMV chip cards are being encouraged. As a merchant, your POS systems must support both types of cards at present. Further, you must ensure that data being transmitted is in encrypted form to prevent misuse.
Ensuring PCI compliance is the most important factor, and there are many tools such as the HackerGuardian step-by-step compliance wizard and PCI Scan that provide complete guidance to ensure PCI compliance.